The 25 Most Popular Passwords of 2017: You Sweet, Misguided Fools

Photo: Getty

Every year, SplashData compiles a list of the most popular passwords based on millions of stolen logins made public in the last year. And each time, we own ourselves. Hard. 2017 is no exception.


You probably already know the top two choices: Based on more than five million leaked passwords, they are “123456” and “password.” There are also some new additions this year, including “starwars,” “monkey,” “iloveyou,” “whatever,” and “freedom,” to name a few. Most apt, perhaps, is the new addition “letmein,” and most ironic is “trustno1.” A password is marked as new by SplashData if it didn’t appear in the previous year’s list.

“Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars’ is a dangerous password to use,” Morgan Slain, CEO of SplashData, said in a press release. “Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.”

SplashData hopes this list will encourage people to take better safety precautions online. But according to the data from this year and years past, we are still a bunch of idiots—our astonishingly weak passwords at the mercy of even the most amateur hackers.

SplashData noted that the passwords evaluated for this year’s list were predominantly from users in North America and Western Europe, and they did not include security breaches for either adult websites or the Yahoo hack.

A strong password should be long and avoid common phrases. And as security breaches become the norm, it’s important that you don’t reuse your passwords. A password manager can not only help you keep track of your passwords, but it can help you generate secure ones.

Anyways, you can check out SplashData’s seventh annual list below. To which I say: areyoufuckingkiddingme1234.

1. 123456 (Unchanged)

2. Password (Unchanged)

3. 12345678 (Up 1)

4. qwerty (Up 2)

5. 12345 (Down 2)

6. 123456789 (New)

7. letmein (New)

8. 1234567 (Unchanged)

9. football (Down 4)

10. iloveyou (New)

11. admin (Up 4)

12. welcome (Unchanged)

13. monkey (New)

14. login (Down 3)

15. abc123 (Down 1)

16. starwars (New)

17. 123123 (New)

18. dragon (Up 1)

19. passw0rd (Down 1)

20. master (Up 1)

21. hello (New)

22. freedom (New)

23. whatever (New)

24. qazwsx (New)

25. trustno1 (New)
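
The advice above (make it long, avoid common choices) can be enforced when a password is set by screening candidates against this list, including decorated, substituted and repeated spellings of its entries. The following is an added example, not code from SplashData or the article; the minimum length, the symbol set and the substitution map are assumptions.

```python
import unicodedata

# The 25 entries of SplashData's 2017 list above, lowercased.
COMMON_2017 = frozenset(
    "123456 password 12345678 qwerty 12345 123456789 letmein 1234567 "
    "football iloveyou admin welcome monkey login abc123 starwars 123123 "
    "dragon passw0rd master hello freedom whatever qazwsx trustno1".split()
)

MIN_LENGTH = 12                    # assumed policy value, not from the article
SYMBOLS = "!@#$%^&*()-_=+.,?"      # assumed set of trailing decorations
DIGITS = "0123456789"
# Assumed map that undoes simple character substitutions (0->o, @->a, ...).
LEET = str.maketrans("0134@5$7", "oleaasst")


def candidate_forms(password):
    """Return the normalized spellings of `password` to compare with the list."""
    base = unicodedata.normalize("NFKC", password).casefold()
    no_symbols = base.rstrip(SYMBOLS)        # "trustno1!" -> "trustno1"
    no_suffix = no_symbols.rstrip(DIGITS)    # "password1" -> "password"
    forms = {base, no_symbols, no_suffix}
    forms |= {form.translate(LEET) for form in forms}
    forms.discard("")
    return forms


def matched_entry(password):
    """Return the list entry `password` is a variant or repetition of, else None."""
    for form in sorted(candidate_forms(password)):
        for word in sorted(COMMON_2017):
            # True when form is the entry itself or the entry repeated end to end.
            if form == word * (len(form) // len(word)):
                return word
    return None


def screen(password):
    """Return the reasons to reject `password`; an empty list means accept."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    word = matched_entry(password)
    if word is not None:
        reasons.append(f"variant of common password '{word}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["Password", "P@ssw0rd", "TrustNo1!", "123456123456",
               "copper lantern drifts past noon"]:
        print(repr(pw), "->", screen(pw) or "accepted")
```

A 25-entry list only illustrates the mechanism; a deployed check would load a much larger breached-password corpus into the same structure.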



The problem with advocating strong passwords is adoption.

Relying on a password manager doesn’t really breed good practices so much as throw the ball in someone else’s court, with a hope and a prayer that their service isn’t compromised (spoiler; it probably will be or has been).

Relying on a complex rule of alpha-numeric, special symbols, and varying case only works if the service allows it... and none of them seem to agree on what kind of password is ‘good’ or how long a password should be allowed before you are forced to change it.

The best method is, in my opinion, a password phrase that is fairly long but otherwise meaningless. The ones used in Ready Player One are great examples:

  1. You have been recruited by the Star League to defend the frontier against Xur and the Ko-Dan Armada
  2. No one in the world gets what they want and that is beautiful
  3. Reindeer Flotilla Setec Astronomy

But even then you run into the same issues... different services have different rules. Spaces might not be allowed, the length might exceed what they allow. These don’t have special characters or numerals so they might not pass muster.

We lament that so many people use weak passwords, but I would argue that these occur in no small part because the services on which so many people rely rather force you into a mindset of either relying on someone else to handle your passwords, or in using stupid / weak passwords to accommodate their arbitrary password rules.